Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1005232,
regarding bullseye-pu: package xterm/366-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1005232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005232
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package xterm/366-1+deb11u1
- From: Sven Joachim <svenjoac@gmx.de>
- Date: Wed, 09 Feb 2022 18:03:23 +0100
- Message-id: <878ruk55wk.fsf@turtle.gmx.de>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

I have uploaded xterm 366-1+deb11u1 to fix #1004689 aka CVE-2022-24130 in bullseye.

[ Reason ]
CVE-2022-24130: xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

[ Impact ]
An attacker could cause xterm to crash or possibly do worse things, e.g. by luring the victim to cat(1) a specially crafted file.

In its default configuration xterm does not interpret Sixel graphics; the user needs to set the decTerminalID resource to a non-standard value or invoke xterm with the -ti switch to enable Sixel support and become vulnerable.

[ Tests ]
I have verified that the testcase at [1] no longer causes a crash with the attached patch.

[ Risks ]
No official upstream release has been made yet, but the issue has been addressed in current snapshots at [2]. The patch has been taken from there and is identical to the one that went into xterm 370-2, currently in unstable and testing.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Cheers,
Sven

1. https://www.openwall.com/lists/oss-security/2022/01/30/3
2. https://github.com/ThomasDickey/xterm-snapshots/

diff -Nru xterm-366/debian/changelog xterm-366/debian/changelog --- xterm-366/debian/changelog 2021-02-11 10:31:09.000000000 +0100 +++ xterm-366/debian/changelog 2022-02-07 20:14:01.000000000 +0100 
@@ -1,3 +1,12 @@ +xterm (366-1+deb11u1) bullseye; urgency=medium + + * Cherry-pick sixel graphics fixes from xterm 370d and 370f. + - Check for out-of-bounds condition while drawing sixels, and quit + that operation (report by Nick Black (CVE-2022-24130), + Closes: #1004689). + + -- Sven Joachim <svenjoac@gmx.de> Mon, 07 Feb 2022 20:14:01 +0100 + xterm (366-1) unstable; urgency=medium * New upstream release diff -Nru xterm-366/debian/patches/CVE-2022-24130.diff xterm-366/debian/patches/CVE-2022-24130.diff --- xterm-366/debian/patches/CVE-2022-24130.diff 1970-01-01 01:00:00.000000000 +0100 +++ xterm-366/debian/patches/CVE-2022-24130.diff 2022-02-07 20:12:57.000000000 +0100 
@@ -0,0 +1,73 @@ +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic, + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- if (sixel) +- set_sixel(graphic, &context, sixel); ++ if (sixel) { ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params + if (sixel) { + int i; + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; 
++ break; ++ } + } + } else { + context.col += Pcount; diff -Nru xterm-366/debian/patches/series xterm-366/debian/patches/series --- xterm-366/debian/patches/series 2021-02-11 10:28:06.000000000 +0100 +++ xterm-366/debian/patches/series 2022-02-07 20:12:57.000000000 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2022-24130.diffAttachment: signature.asc
Description: PGP signature
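Review bot: In set_sixel, the new `return False` in the else branch fires on the first out-of-range pixel even when that bit of `sixel` is clear, because the bounds test runs before `if (sixel & (1 << pix))`. A sixel whose upper pixels fit and whose lower ones fall at or past `mh` was previously skipped pixel by pixel with only a TRACE; it now makes the caller stop, after the in-range pixels of that column have already been handled and `actual_width` possibly updated. If only negative coordinates are meant to abort, consider returning False for those alone and keeping the skip-and-continue behaviour for `context->row + pix >= mh`, or state in the patch description that running past the bottom edge now ends drawing.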
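Review bot: In the second parse_sixel hunk, the added `break` sits inside `for (i = 0; i < Pcount; i++)` and therefore leaves only that repeat loop, so after a failed set_sixel the parser carries on with `context.col = 0`. The `break` in the first parse_sixel hunk has no loop of its own and exits whatever construct encloses the `if`/`else if` chain, so the two failure paths do not behave the same way. If both are meant to quit the sixel operation, as the description says, the repeat path needs a flag that is tested after the loop; if continuing is intended there, a comment saying so would help.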
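Review bot: The DEP-3 header of debian/patches/CVE-2022-24130.diff has Description and Bug-Debian fields but no Origin field, although the changelog entry says the change is cherry-picked from xterm 370d and 370f. Adding an `Origin: upstream` line that names those snapshots would let a later reviewer check the backport against its source.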
--- End Message ---
--- Begin Message ---
- To: 1000342-done@bugs.debian.org, 1000645-done@bugs.debian.org, 1001411-done@bugs.debian.org, 1001692-done@bugs.debian.org, 1001740-done@bugs.debian.org, 1001849-done@bugs.debian.org, 1002012-done@bugs.debian.org, 1002051-done@bugs.debian.org, 1002563-done@bugs.debian.org, 1002619-done@bugs.debian.org, 1002620-done@bugs.debian.org, 1002652-done@bugs.debian.org, 1002685-done@bugs.debian.org, 1002703-done@bugs.debian.org, 1003018-done@bugs.debian.org, 1003058-done@bugs.debian.org, 1003133-done@bugs.debian.org, 1003173-done@bugs.debian.org, 1003484-done@bugs.debian.org, 1003526-done@bugs.debian.org, 1003659-done@bugs.debian.org, 1003765-done@bugs.debian.org, 1003948-done@bugs.debian.org, 1004033-done@bugs.debian.org, 1004050-done@bugs.debian.org, 1004192-done@bugs.debian.org, 1004247-done@bugs.debian.org, 1004384-done@bugs.debian.org, 1004452-done@bugs.debian.org, 1004483-done@bugs.debian.org, 1004533-done@bugs.debian.org, 1004575-done@bugs.debian.org, 1004741-done@bugs.debian.org, 1004895-done@bugs.debian.org, 1004966-done@bugs.debian.org, 1004999-done@bugs.debian.org, 1005007-done@bugs.debian.org, 1005010-done@bugs.debian.org, 1005013-done@bugs.debian.org, 1005052-done@bugs.debian.org, 1005148-done@bugs.debian.org, 1005158-done@bugs.debian.org, 1005217-done@bugs.debian.org, 1005232-done@bugs.debian.org, 1005288-done@bugs.debian.org, 1005340-done@bugs.debian.org, 1005351-done@bugs.debian.org, 1005355-done@bugs.debian.org, 1005372-done@bugs.debian.org, 1005694-done@bugs.debian.org, 1005861-done@bugs.debian.org, 1005868-done@bugs.debian.org, 1005949-done@bugs.debian.org, 1006010-done@bugs.debian.org, 1006137-done@bugs.debian.org, 1006138-done@bugs.debian.org, 1006165-done@bugs.debian.org, 1006187-done@bugs.debian.org, 1006192-done@bugs.debian.org, 1006215-done@bugs.debian.org, 1006222-done@bugs.debian.org, 1006342-done@bugs.debian.org, 1006371-done@bugs.debian.org, 1006402-done@bugs.debian.org, 1006493-done@bugs.debian.org, 1006522-done@bugs.debian.org, 
1006752-done@bugs.debian.org, 1006768-done@bugs.debian.org, 1006796-done@bugs.debian.org, 1006797-done@bugs.debian.org, 1006883-done@bugs.debian.org, 1006905-done@bugs.debian.org, 1006916-done@bugs.debian.org, 1007001-done@bugs.debian.org, 1007249-done@bugs.debian.org, 1007261-done@bugs.debian.org, 1007262-done@bugs.debian.org, 1007747-done@bugs.debian.org, 1007878-done@bugs.debian.org, 1007909-done@bugs.debian.org, 1007920-done@bugs.debian.org, 1007947-done@bugs.debian.org, 1007963-done@bugs.debian.org, 1008031-done@bugs.debian.org, 1008074-done@bugs.debian.org, 1006446-done@bugs.debian.org
- Subject: Closing p-u requests for updates in 11.3
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Mar 2022 11:59:13 +0000
- Message-id: <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of this morning's 11.3 point release.

Regards,

Adam
--- End Message ---